Commit Graph

74 Commits

Author SHA1 Message Date
Timo Aaltonen
43654c973c ipaplatform: Add NTPD_OPTS_VAR and NTPD_OPTS_QUOTE to constants
https://fedorahosted.org/freeipa/ticket/5343

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-11-04 13:12:12 +01:00
Timo Aaltonen
24ebdf90a5 ipaplatform: Add SECURE_NFS_VAR to constants
https://fedorahosted.org/freeipa/ticket/5343

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-11-04 13:12:12 +01:00
Timo Aaltonen
489c24837c ipaplatform: Add NAMED_USER to constants
https://fedorahosted.org/freeipa/ticket/5343

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-11-04 13:12:12 +01:00
Timo Aaltonen
874b6d9f28 ipaplatform: Add HTTPD_USER to constants, and use it.
https://fedorahosted.org/freeipa/ticket/5343

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-11-04 13:12:12 +01:00
Petr Vobornik
fff31ca220 topology: manage ca replication agreements
Configure IPA so that topology plugin will manage also CA replication
agreements.

upgrades if CA is congigured:
- ipaca suffix is added to cn=topology,cn=ipa,cn=etc,$SUFFIX
- ipaReplTopoManagedSuffix: o=ipaca is added to master entry
- binddngroup is added to o=ipaca replica entry

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-10-15 14:24:33 +02:00
Simo Sorce
d03619fff3 Implement replica promotion functionality
This patch implements a new flag --promote for the ipa-replica-install command
that allows an administrative user to 'promote' an already joined client to
become a full ipa server.

The only credentials used are that of an administrator. This code relies on
ipa-custodia being available on the peer master as well as a number of other
patches to allow a computer account to request certificates for its services.

Therefore this feature is marked to work only with domain level 1 and above
servers.

Ticket: https://fedorahosted.org/freeipa/ticket/2888

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-10-15 14:24:33 +02:00
Simo Sorce
463dda3067 Add ipa-custodia service
Add a customized Custodia daemon and enable it after installation.
Generates server keys and loads them in LDAP autonomously on install
or update.
Provides client code classes too.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-10-15 14:24:33 +02:00
Timo Aaltonen
7059117ec3 paths: Add GENERATE_RNDC_KEY.
Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-10-05 17:45:51 +02:00
Milan Kubík
c22c60b87c ipatests: configure Network Manager not to manage resolv.conf
For the duration of the test, makes resolv.conf unmanaged.
If NetworkManager is not running, nothing is changed.

https://fedorahosted.org/freeipa/ticket/5331

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-10-02 14:01:50 +02:00
Jan Cholasta
4c39561261 install: fix kdcproxy user home directory
https://fedorahosted.org/freeipa/ticket/5314

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-09-23 16:29:49 +02:00
Jan Cholasta
859590337a platform: add option to create home directory when adding user
https://fedorahosted.org/freeipa/ticket/5314

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-09-23 16:29:49 +02:00
Tomas Babej
cfeea91828 ipa-backup: Add mechanism to store empty directory structure
Certain subcomponents of IPA, such as Dogtag, cannot function if
non-critical directories (such as log directories) have not been
stored in the backup.

This patch implements storage of selected empty directories,
while preserving attributes and SELinux context.

https://fedorahosted.org/freeipa/ticket/5297

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-09-22 13:17:25 +02:00
Jan Cholasta
5137478fb8 install: support KRA update
https://fedorahosted.org/freeipa/ticket/5250

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2015-09-17 14:55:54 +02:00
Endi S. Dewata
72cfcfa0bd Using LDAPI to setup CA and KRA agents.
The CA and KRA installation code has been modified to use LDAPI
to create the CA and KRA agents directly in the CA and KRA
database. This way it's no longer necessary to use the Directory
Manager password or CA and KRA admin certificate.

https://fedorahosted.org/freeipa/ticket/5257

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-09-07 18:01:13 +02:00
Martin Basti
e7a876d88a DNSSEC: remove ccache and keytab of ipa-ods-exporter
Reusing old ccache after reinstall causes authentication error. And
prevents DNSSEC from working.

Related to ticket: https://fedorahosted.org/freeipa/ticket/5273

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-09-03 18:15:58 +02:00
Petr Viktorin
3bf91eab25 Use Python3-compatible dict method names
Python 2 has keys()/values()/items(), which return lists,
iterkeys()/itervalues()/iteritems(), which return iterators,
and viewkeys()/viewvalues()/viewitems() which return views.

Python 3 has only keys()/values()/items(), which return views.
To get iterators, one can use iter() or a for loop/comprehension;
for lists there's the list() constructor.

When iterating through the entire dict, without modifying the dict,
 the difference between Python 2's items() and iteritems() is
negligible, especially on small dicts (the main overhead is
extra memory, not CPU time). In the interest of simpler code,
this patch changes many instances of iteritems() to items(),
iterkeys() to keys() etc.

In other cases, helpers like six.itervalues are used.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-09-01 11:42:01 +02:00
Endi S. Dewata
8676364ae8 Removed clear text passwords from KRA install log.
The ipa-kra-install tool has been modified to use password files
instead of clear text passwords when invoking pki tool such that
the passwords are no longer visible in ipaserver-kra-install.log.

https://fedorahosted.org/freeipa/ticket/5246

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-08-26 13:49:57 +02:00
David Kupka
db88985c0d Backup/resore authentication control configuration
https://fedorahosted.org/freeipa/ticket/5071

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-08-19 14:13:00 +02:00
Martin Babinsky
83db1de096 fix typo in BasePathNamespace member pointing to ods exporter config
Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-08-17 18:46:30 +02:00
Martin Basti
92828d3cf5 DNS: check if DNS package is installed
Instead of separate checking of DNS required packages, we need just
check if IPA DNS package is installed.

https://fedorahosted.org/freeipa/ticket/4058

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-21 17:30:10 +02:00
Tomas Babej
a487e42d3f ipaplatform: Add constants submodule
Introduce a ipaplatform/constants.py file to store platform related
constants, which are not paths.

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-07-21 17:29:33 +02:00
David Kupka
2defc486ab cermonger: Use private unix socket when DBus SystemBus is not available.
https://fedorahosted.org/freeipa/ticket/5095

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-07-20 14:28:09 +00:00
Martin Basti
e151492560 DNSSEC: allow to disable/replace DNSSEC key master
This commit allows to replace or disable DNSSEC key master

Replacing DNSSEC master requires to copy kasp.db file manually by user

ipa-dns-install:
--disable-dnssec-master  DNSSEC master will be disabled
--dnssec-master --kasp-db=FILE  This configure new DNSSEC master server,  kasp.db from old server is required for sucessful replacement
--force Skip checks

https://fedorahosted.org/freeipa/ticket/4657

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-07-07 08:37:15 +02:00
Tomas Babej
ccbf267872 ipaplatform: Remove redundant definitions
The variables path_namespace and task_namespace in the base platform
are not used anywhere in the rest of the codebase and are just
debris from previous implementation.

This patch removes them.

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-02 13:04:23 +02:00
Jan Cholasta
e9c9e3f009 ipaplatform: Do not use MagicDict for KnownServices
https://fedorahosted.org/freeipa/ticket/3090

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-07-01 13:05:30 +00:00
Gabe
37729936dd Clear SSSD caches when uninstalling the client
https://fedorahosted.org/freeipa/ticket/5049

Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
2015-06-30 12:59:19 +02:00
Petr Spacek
ee84c6ae78 Rate-limit while loop in SystemdService.is_active().
Previously is_active() was frenetically calling systemctl is_active in
tight loop which in fact made the process slower.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-06-29 13:39:07 +02:00
Christian Heimes
495da412f1 Provide Kerberos over HTTP (MS-KKDCP)
Add integration of python-kdcproxy into FreeIPA to support the MS
Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD
client requests over HTTP and HTTPS.

- freeipa-server now depends on python-kdcproxy >= 0.3. All kdcproxy
  dependencies are already satisfied.
- The service's state is configured in cn=KDC,cn=$FQDN,cn=masters,cn=ipa,
  cn=etc,$SUFFIX. It's enabled, when ipaConfigString=kdcProxyEnabled is
  present.
- The installers and update create a new Apache config file
  /etc/ipa/kdcproxy/ipa-kdc-proxy.conf that mounts a WSGI app on
  /KdcProxy. The app is run inside its own WSGI daemon group with
  a different uid and gid than the webui.
- A ExecStartPre script in httpd.service symlinks the config file to
  /etc/httpd/conf.d/ iff ipaConfigString=kdcProxyEnabled is present.
- The httpd.service also sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf,
  so that an existing config is not used. SetEnv from Apache config does
  not work here, because it doesn't set an OS env var.
- python-kdcproxy is configured to *not* use DNS SRV lookups. The
  location of KDC and KPASSWD servers are read from /etc/krb5.conf.
- The state of the service can be modified with two ldif files for
  ipa-ldap-updater. No CLI script is offered yet.

https://www.freeipa.org/page/V4/KDC_Proxy

https://fedorahosted.org/freeipa/ticket/4801

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2015-06-24 10:43:58 +02:00
David Kupka
4d05b5d18d Use 389-ds centralized scripts.
Directory server is deprecating use of tools in instance specific paths. Instead
tools in bin/sbin path should be used.

https://fedorahosted.org/freeipa/ticket/4051

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-06-11 13:16:06 +02:00
Jan Cholasta
e7ac57e139 vault: Fix ipa-kra-install
Use state in LDAP rather than local state to check if KRA is installed.
Use correct log file names.

https://fedorahosted.org/freeipa/ticket/3872

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-06-10 16:17:34 +00:00
Jan Cholasta
81729e22d3 vault: Move vaults to cn=vaults,cn=kra
https://fedorahosted.org/freeipa/ticket/3872

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-06-10 16:17:34 +00:00
Martin Babinsky
5a741b614f explicitly destroy httpd service ccache file during httpinstance removal
during IPA server uninstall, the httpd service ccache is not removed from
runtime directory. This file then causes server-side client install to fail
when performing subsequent installation without rebooting/recreating runtime
directories.

This patch ensures that the old httpd ccache is explicitly destroyed during
uninstallation.

https://fedorahosted.org/freeipa/ticket/4973

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-05-19 12:59:18 +00:00
Martin Basti
9f049ca144 Server Upgrade: Verify version and platform
Verify version and platform before upgrade or ipactl start|restart

Upgrade:
* do not allow upgrade on different platforms
* do not allow upgrade data with higher version than build has

Start:
* do not start services if platform mismatch
* do not start services if upgrade is needed
* do not start services if data with higher version than build has

New ipactl options:
--skip-version-check: do not validate IPA version
--ignore-service-failures (was --force): ignore if a service start fail
      and continue with starting other services
--force: combine --skip-version-check and --ignore-service-failures

https://fedorahosted.org/freeipa/ticket/4904

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2015-05-04 11:16:26 +00:00
Martin Basti
0a1a3d7312 DNSSEC CI tests
Tests:
* install master, replica, then instal DNSSEC on master
  * test if zone is signed (added on master)
  * test if zone is signed (added on replica)

* install master with DNSSEC, then install replica
  * test if root zone is signed
  * add zone, verify signatures using our root zone

https://fedorahosted.org/freeipa/ticket/4657

Reviewed-By: Milan Kubik <mkubik@redhat.com>
2015-04-14 19:29:36 +02:00
Nathan Kinder
a58b77ca9c Timeout when performing time sync during client install
We use ntpd now to sync time before fetching a TGT during client
install.  Unfortuantely, ntpd will hang forever if it is unable to
reach the NTP server.

This patch adds the ability for commands run via ipautil.run() to
have an optional timeout.  This capability is used by the NTP sync
code that is run during ipa-client-install.

Ticket: https://fedorahosted.org/freeipa/ticket/4842
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-03-16 15:55:26 +01:00
Martin Babinsky
55b7eed77e Use 'remove-ds.pl' to remove DS instance
The patch adds a function which calls 'remove-ds.pl' during DS instance
removal. This should allow for a more thorough removal of DS related data
during server uninstallation (such as closing custom ports, cleaning up
slapd-* entries etc.)

This patch is related to https://fedorahosted.org/freeipa/ticket/4487.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-01-27 13:35:06 +01:00
Jan Cholasta
b9ae769048 Make certificate renewal process synchronized
Synchronization is achieved using a global renewal lock.

https://fedorahosted.org/freeipa/ticket/4803

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-01-13 18:34:59 +00:00
Jan Cholasta
7b0149f32b Improve validation of --instance and --backend options in ipa-restore
https://fedorahosted.org/freeipa/ticket/4744

Reviewed-By: David Kupka <dkupka@redhat.com>
2014-12-09 13:46:29 +00:00
Petr Viktorin
a14ce85357 Do not restore SELinux settings that were not backed up
https://fedorahosted.org/freeipa/ticket/4678

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-11-19 15:47:45 +01:00
Martin Basti
7c176b708e Fix named working directory permissions
Just adding dir to specfile doesnt work, because is not guarantee the
named is installed, during RPM installation.

Ticket: https://fedorahosted.org/freeipa/ticket/4716
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-11-18 18:49:42 +00:00
David Kupka
e28eb13907 Remove service file even if it isn't link.
(Link to) service file from /etc/systemd/system/ must be removed before masking
systemd service.

https://fedorahosted.org/freeipa/ticket/4658

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-11-13 13:53:23 +01:00
Petr Viktorin
e60ef1fe02 ipaplatform: Use the dirsrv service, not target
IPA only uses one instance of the directory server. When an instance
is not specified to a call to service.start/stop/restart/...,
use IPA's instance.

Stopping a systemd service is synchronous (bby default), but stopping
a target is not. This will change ensures that the directory server
is actually down when stop() finishes.

https://fedorahosted.org/freeipa/ticket/4709

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-11-13 10:49:17 +00:00
Jan Cholasta
2639997dfe Fix CA certificate backup and restore
Backup and restore /etc/pki/ca-trust/source/ipa.p11-kit.

Create /etc/ipa/nssdb after restore if necessary.

https://fedorahosted.org/freeipa/ticket/4711

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-11-11 16:13:52 +01:00
David Kupka
82c3c2b242 Remove unneeded internal methods. Move code to public methods.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-11-11 09:18:30 +01:00
David Kupka
364d466fd7 Respect UID and GID soft static allocation.
https://fedoraproject.org/wiki/Packaging:UsersAndGroups?rd=Packaging/UsersAndGroups#Soft_static_allocation

https://fedorahosted.org/freeipa/ticket/4585

Reviewed-By: Martin Basti <mbasti@redhat.com>
2014-11-05 15:22:51 +01:00
Endi S. Dewata
0b08043c37 Fixed KRA backend.
The KRA backend has been simplified since most of the tasks have
been moved somewhere else. The transport certificate will be
installed on the client, and it is not needed by KRA backend. The
KRA agent's PEM certificate is now generated during installation
due to permission issue. The kra_host() for now is removed since
the current ldap_enable() cannot register the KRA service, so it
is using the kra_host environment variable.

The KRA installer has been modified to use Dogtag's CLI to create
KRA agent and setup the client authentication.

The proxy settings have been updated to include KRA's URLs.

Some constants have been renamed for clarity. The DOGTAG_AGENT_P12
has been renamed to DOGTAG_ADMIN_P12 since file actually contains
the Dogtag admin's certificate and private key and it can be used
to access both CA and KRA. The DOGTAG_AGENT_PEM has been renamed
to KRA_AGENT_PEM since it can only be used for KRA.

The Dogtag dependency has been updated to 10.2.1-0.1.

https://fedorahosted.org/freeipa/ticket/4503

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-11-04 16:33:16 +01:00
Martin Basti
30bc3a55cf DNSSEC: platform paths and services
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417

Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Martin Basti
78018dd67d Add mask, unmask methods for service
This patch allows mask and unmask services in IPA

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Martin Basti
7ad70025eb Make named.conf template platform independent
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-10-14 13:55:02 +02:00
Martin Basti
97195eb07c Add missing attributes to named.conf
Ticket: https://fedorahosted.org/freeipa/ticket/3801#comment:31
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-10-14 13:55:02 +02:00